The invention concerns a method for controlling access to a data network with a data source and a plurality of end points engaged in data exchange with the data source, in which a user identification of a user working at an end point is checked by the data source and authorizations for the data processing that are associated with the user identification are granted to the user.
Such methods for controlling access to a data network are generally known and serve for authentication and authorization. Authentication is the process by which the identity of the user working at the end point is established. An end point is a logical or physical unit designed to let a user exchange data with the data source via a user interface. Authorization is the procedure by which a successfully authenticated user is granted permissions to manipulate data. The data are typically administered in a central data source, e.g., a data server. Authorization can be based on roles or on groups.
A functional authorization is based on roles and grants the user permission to execute specific work steps in a work process. Such work steps can, for example, comprise quality assurance, the interpretation of image data, or the verification of image data.
The authorization for data access is based on the classification of users into groups. Access to a subset of the available data is granted to the user based on the user's membership in a specific group.
In the medical field, image archiving and communication systems (known as PACS, Picture Archiving and Communication Systems) are operated on the basis of digital computers and networks. PACS serve in particular to process and administer diagnostic data of all types, for example, image data acquired in radiology and nuclear medicine.
The digital image data supplied by the diagnosis apparatuses, together with information about the identity of the patient, the clinical question, and the results of the examination, are typically stored on a central server (known as the PACS server). The image data generated by the diagnosis apparatuses can be retrieved from the PACS server at special workstation computers. Where required, the image data are digitally post-processed or structural measurements are subsequently performed. After assessing the images in light of the illness history, a physician specializing in diagnosis with the diagnosis apparatus generates a medical assessment report that is, for the most part, dictated, subsequently set in writing, and associated with the image data. On the wards and in the outpatient clinics, treating physicians can then view the image data and the findings on ordinary workstation computers.
The diagnosis apparatuses, the PACS server, and the workstation computers for the physicians concerned with the diagnosis and the treatment thus form what is known as the PACS core system.
In order to embed the entire PACS in a network with further components such as imaging systems (modalities) and image processing stations, the exchange of medical images is organized according to the DICOM (Digital Imaging and Communication in Medicine) standard. With the DICOM protocol, data are exchanged between DICOM nodes that must be known to one another before any exchange can take place. DICOM nodes are not necessarily bound to one physical apparatus. Rather, a DICOM node can be distributed over a plurality of physical apparatuses, and a single physical apparatus can likewise host a plurality of DICOM nodes.
The DICOM nodes provide services and applications that are also designated as application units (application entities). The application entities can be unambiguously identified within the network with the aid of a logical address, what is known as the AET (Application Entity Title).
The application entities provide services for the exchange of medical image data. Such services can, for example, be services for sending and receiving images (DICOM STORE) or services for querying information (DICOM QUERY). A distinction is made between SCUs (Service Class Users) and SCPs (Service Class Providers): SCUs use the services of SCPs. For example, to send images from one DICOM node to another, the sending service must be a DICOM STORE SCU while the receiving service must be a DICOM STORE SCP.
An application entity with a specific logical address can comprise a plurality of services. For example, an application entity with the application identifier AET1 can comprise the services STORE SCP, STORE SCU, QUERY SCP and QUERY SCU. A further DICOM node can comprise two application entities, for example, an application entity with the application identifier AET2A with the services STORE SCP and STORE SCU as well as a further application entity with the application identifier AET2B with the services QUERY SCP and QUERY SCU.
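The following is an added illustration, not code from the patent or from any DICOM toolkit: it models the two nodes described above (AET1 with four services; AET2A and AET2B sharing a second node) and checks whether a given exchange is possible, i.e. whether the calling entity offers the service as SCU, the called entity offers it as SCP, and both nodes know each other's AET. The node names and the known-peer lists are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the DICOM node / application entity / service
# relationships described in the text. Node names are assumed.


@dataclass
class ApplicationEntity:
    aet: str        # Application Entity Title: the logical address
    services: set   # pairs such as ("STORE", "SCP") or ("QUERY", "SCU")


@dataclass
class DicomNode:
    name: str
    entities: dict = field(default_factory=dict)   # AET -> ApplicationEntity
    known_aets: set = field(default_factory=set)   # peer AETs this node accepts

    def add_entity(self, ae):
        self.entities[ae.aet] = ae


def build_example_network():
    """The two nodes from the text: AET1 with four services, AET2A/AET2B with two each."""
    node1 = DicomNode("node1")
    node1.add_entity(ApplicationEntity("AET1", {("STORE", "SCP"), ("STORE", "SCU"),
                                                ("QUERY", "SCP"), ("QUERY", "SCU")}))
    node2 = DicomNode("node2")
    node2.add_entity(ApplicationEntity("AET2A", {("STORE", "SCP"), ("STORE", "SCU")}))
    node2.add_entity(ApplicationEntity("AET2B", {("QUERY", "SCP"), ("QUERY", "SCU")}))
    # DICOM nodes must be known to one another before they can exchange data
    node1.known_aets.update({"AET2A", "AET2B"})
    node2.known_aets.add("AET1")
    return [node1, node2]


def locate(network, aet):
    """Resolve an AET to (node, entity); an AET must be unique across the network."""
    hits = [(n, ae) for n in network for ae in n.entities.values() if ae.aet == aet]
    if len(hits) != 1:
        raise LookupError(f"AET {aet!r} is unknown or ambiguous")
    return hits[0]


def can_exchange(network, calling_aet, called_aet, service):
    """True if the caller offers `service` as SCU, the callee offers it as SCP,
    and each node has the other's AET in its known-peer list."""
    caller_node, caller = locate(network, calling_aet)
    callee_node, callee = locate(network, called_aet)
    if called_aet not in caller_node.known_aets or calling_aet not in callee_node.known_aets:
        return False
    return (service, "SCU") in caller.services and (service, "SCP") in callee.services
```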
In the framework of the DICOM standard, components of the PACS core system can represent DICOM nodes. However, external DICOM nodes that are not components of the PACS core system can also exist in addition to these.
Within the PACS core system, however, authentication and authorization of the users present no problem, since non-DICOM protocols that support authentication and authorization of the users can be used for the data exchange and the access control.
The situation is different for the external DICOM nodes. In principle, the external DICOM nodes are able to query data from the central PACS server via the DICOM protocol. With the adoption of DICOM Supplement 99 (Extended Negotiation of User Identity), mechanisms were described that enable the transmission of the user identity, for example, with data queries.
However, this requires that the user identity be available at the querying node so that it can be transmitted. Given that the systems installed today typically do not offer this functionality, implementation of this standard cannot be assumed in the next few years. Therefore, for a data query that originates from an external node, the PACS server has in principle only two possibilities: it grants either unlimited data access or no data access at all. From the viewpoint of data security, both possibilities are unsatisfactory and do not satisfy the legal requirements for the security of the data.
Moreover, handling data queries from external DICOM nodes that cannot be authorized ties up resources and represents an additional network load that should be avoided where possible.